Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Guidelines for Establishing Board-level Risk Committees

Although many large bank holding companies already have board-level risk committees, they will likely become even more prevalent with rule-making set in play under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Under Dodd-Frank, the Federal Reserve has been given the task of issuing new rules. The parameters of these new rules include requiring certain large banks to establish a board risk committee with a formal written charter approved by the company’s board of directors.

“There was a recognition that traditional risk and certain aspects of governance models had their shortcomings,” says Henry Ristuccia, partner, Deloitte & Touche LLP, and global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited. “So the intent is to clarify that a different approach is needed, a different structure to bring a focus on risk at the board level, and that is what Dodd-Frank is recommending.” U.S. banks and bank holding companies with greater than $50 billion in assets, those with greater than $10 billion in assets that are publicly traded, and certain other non-bank financial companies designated as systemically important would be subject to the rules requiring a risk committee and a charter.

The risk committee charter would be among a board’s main tools for disclosing its approach to risk oversight. In writing the charter, the board and the risk committee will determine the risk committee’s role in risk governance. As public documents, board committee charters specify the committee’s responsibilities and how it carries them out. The risk committee charter discloses the board’s involvement in, and approach to, risk oversight, the committee’s relationship to the Chief Risk Officer (CRO) and to management’s risk committee and other elements of risk oversight.

In developing risk committee charters, boards may wish to include language specifying such issues as the board risk committee’s separate purpose from that of other committees and whether it has been established to exercise enterprise-wide risk-oversight responsibilities. “The more precise the charter with respect to the board’s oversight, the better positioned the risk committee will be in general to exercise oversight,” says Maureen Errity, a director in Deloitte LLP’s Center for Corporate Governance, who authored Deloitte’s Risk Committee Resource Guide for Boards with Mr. Ristuccia.

“A detailed charter should enable the committee to set matters such as an annual meeting calendar based on the responsibilities and required meeting frequency, as well as specific risk issues and activities to be discussed,” adds Ms. Errity.

In addition, it may be appropriate to coordinate the risk committee meeting calendar with those of the audit, compensation and nominating/governance committees so that the risk committee will, at a minimum, be made aware of the risk-related activities of those committees and ensure there are no gaps. Coordinating their calendars enables the committees to coordinate their activities and use of resources to maximize risk-oversight efficiency.

Developing and Using the Risk Committee Charter

The following guidelines can be considered by a board or risk committee as they develop and use a risk committee charter:

—Develop the Charter as a Group—Risk committee members, under the guidance and with the approval of the full board, could develop the charter as a group, perhaps with the assistance of an external facilitator. While the actual writing of the charter can be delegated to management, input should be obtained from the board and committee members regarding the charter principles and risks to be overseen, as well as whether the CRO will report to the risk committee and other important points. Ideally, all risk committee members would agree to the charter and approve it—as would the full board.

—Use the Charter as a Guide—A risk charter is not to be written and shelved but instead to be put to use. When the committee is in doubt as to its responsibilities, or feels the need to assert its risk governance role with senior executives, it can reference the charter for guidance. Providing the charter as part of the orientation package for new members of the board and its various committees may help onboarding. The charter also may be used in identifying a candidate to serve as the committee’s risk expert and other committee members, who may be recruited from among existing board members or elsewhere.

—Review the Charter Annually—A charter also may require that the board and risk committee review the charter annually to update the committee’s role in risk oversight. The charter should be updated as needed to keep the committee’s structure and practices in line with regulatory requirements and the organization’s needs. In addition, it could be reviewed periodically by a qualified external third party to assess whether the committee’s structure and responsibilities reflect leading practices in the industry.

Risk Committee Composition

Risk committee members should be knowledgeable about risk governance and management and about the risks the organization faces and methods for managing them. It may be advantageous to have risk committee members with knowledge of business activities, processes and risks appropriate to the size and scope of the enterprise, as well as the time, energy and willingness to serve as active contributors.

The proposed Dodd-Frank rules require that the board risk committee “have at least one member with risk management expertise that is commensurate with the company’s capital structure, risk profile, complexity, activities, size and other appropriate risk factors.” Further, it defines risk management expertise as follows:

—An understanding of risk management principles and practices with respect to bank holding companies or depository institutions, or, if applicable, non-bank financial companies, and the ability to assess the general application of such principles and practices.

This risk expert role is somewhat analogous to the role of the financial expert that the Sarbanes-Oxley Act of 2002 stipulated for audit committees. In practice, many of the requirements of the financial expert were left to the judgment of the board; it’s possible this may be the case for the risk expert as well. However, the finance and accounting profession is much more formally developed than that of risk management, given the CPA credential, the auditing process for public companies and the broad acceptance and long tradition of CFOs. Given the developing nature of risk management and the CRO position, there is no widely accepted credential or comparatively broad talent pool from which to recruit risk experts.

To fulfill their obligations under the rules, organizations should consider certain specific qualifications to fill the role of board risk expert, including persons with:

—Experience as a CRO, CEO, CFO or CCO who has successfully owned or managed a risk management program at an organization of comparable size, scope, operations and complexity.

—Experience successfully managing significant risks—and a range of risks (beyond a single risk, such as credit or market risk) at a similar organization.

—Organizational and leadership skills required to work with committee members, the board and management to further the cause of sound risk management in the organization.

About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.
